LinuxQuestions.org
Old 10-08-2007, 01:32 PM   #1
dwwiebe
LQ Newbie
 
Registered: Sep 2007
Posts: 4

Rep: Reputation: 0
How do I find out the RSA fingerprint of the server I want to connect to


I know that when connecting to a server using SSH for the first time you get a message like:

The authenticity of host 'nnn.nnn.nnn.nnn' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? no


And that once it is accepted, it is stored in ~/.ssh/known_hosts for comparison on the next connection attempts. This previous knowledge helps to avoid the "Man-in-the-middle" attack from that point on.

What I would like to know is, how can I be sure the first time I connect that I am connecting to the right server, and not a "Man-in-the-middle" server?
I would like to know if there is a way to obtain the fingerprint on the server so that I can really be sure.

Thanks.
 
Old 10-08-2007, 02:26 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by dwwiebe View Post
What I would like to know is, how can I be sure the first time I connect that I am connecting to the right server, and not a "Man-in-the-middle" server?
I would like to know if there is a way to obtain the fingerprint on the server so that I can really be sure.
Maybe ask the server admin to pre-share the key via an out-of-band method such as a CD?

Last edited by win32sux; 10-08-2007 at 02:31 PM.
 
Old 10-08-2007, 02:36 PM   #3
bsdunix
Senior Member
 
Registered: May 2006
Distribution: Caldera, CTOS, Debian, FreeBSD, Mac OS X, Mandrake, Minix, OpenBSD, Slackware, SuSE
Posts: 1,757

Rep: Reputation: 78
Quote:
I would like to know if there is a way to obtain the fingerprint on the server so that I can really be sure.
It's called prior knowledge. Get with the SysAdmin of the remote host to obtain the fingerprint prior to connection, so that way you can compare what fingerprint is presented at connection time. Would you trust a fingerprint that's posted publicly on a web page that you've never seen?
 
Old 10-08-2007, 02:48 PM   #4
dwwiebe
LQ Newbie
 
Registered: Sep 2007
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by bsdunix View Post
It's called prior knowledge. Get with the SysAdmin of the remote host to obtain the fingerprint prior to connection, so that way you can compare what fingerprint is presented at connection time. Would you trust a fingerprint that's posted publicly on a web page that you've never seen?
Okay, Where does the admin of the server get this information from? What command must he/she run?

Thanks
 
Old 10-08-2007, 02:53 PM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by dwwiebe View Post
Okay, Where does the admin of the server get this information from? What command must he/she run?
If he's using RSA then it'll usually be the /etc/ssh/ssh_host_rsa_key.pub file.

So he basically just needs to give you a copy of that.
 
1 member found this post helpful.
Old 10-08-2007, 03:16 PM   #6
dwwiebe
LQ Newbie
 
Registered: Sep 2007
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by win32sux View Post
If he's using RSA then it'll usually be the /etc/ssh/ssh_host_rsa_key.pub file.

So he basically just needs to give you a copy of that.
Okay, I just checked it and, if I understood correctly, I would append the ssh_host_rsa_key.pub that I got from the admin of the remote server to my local copy of known_hosts. This way the warning:

The authenticity of host 'nnn.nnn.nnn.nnn' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? no


would never appear. That's great! This way I can be sure what I am connecting to from the beginning.

Only for the record: ssh_host_rsa_key.pub is NOT the fingerprint of the RSA Key - it is the RSA Key itself! And now I got curious: is there any tool that generates the fingerprint based on a given key?
 
Old 10-08-2007, 03:19 PM   #7
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by dwwiebe View Post
is there any tool that generates the fingerprint based on a given key?
Of course. To get the print do a:
Code:
ssh-keygen -l -f server-public-key.txt

Last edited by win32sux; 10-08-2007 at 03:21 PM.
 
3 members found this post helpful.
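
The fingerprint that ssh-keygen -l prints is a hash of the base64-decoded key blob in the .pub file. The following added example (not code from the thread; the sample key is a constructed toy blob and the function names are hypothetical) computes the colon-separated MD5 form shown in the warning above and the SHA256 form that current OpenSSH releases print, and builds a known_hosts line, which is the host name followed by the key type and key, only when the key matches a fingerprint obtained out of band.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


def sample_pubkey_line() -> str:
    """Constructed stand-in for ssh_host_rsa_key.pub (toy modulus, not a real key)."""
    blob = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + b"\xc3" * 128))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " root@example"


def key_blob(pubkey_line: str) -> bytes:
    """Decode the base64 field and check it carries the declared key type."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return blob


def fingerprint_md5(pubkey_line: str) -> str:
    """Colon-separated MD5 form, the xx:xx:... style shown in the thread."""
    digest = hashlib.md5(key_blob(pubkey_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(pubkey_line: str) -> str:
    """SHA256 form printed by current OpenSSH releases."""
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_entry(host: str, pubkey_line: str, trusted_fp: str) -> str:
    """Return a known_hosts line only if the key matches the trusted fingerprint."""
    actual = fingerprint_md5(pubkey_line)
    if actual != trusted_fp.strip().lower():
        raise ValueError(f"fingerprint mismatch for {host}: got {actual}")
    key_type, b64 = pubkey_line.split()[:2]
    return f"{host} {key_type} {b64}"
```
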
Old 10-08-2007, 03:32 PM   #8
dwwiebe
LQ Newbie
 
Registered: Sep 2007
Posts: 4

Original Poster
Rep: Reputation: 0
Thumbs up

Thanks win32sux
 
Old 10-08-2007, 03:34 PM   #9
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by dwwiebe View Post
Thanks win32sux
You're very welcome! BTW, welcome to LQ!!!
 
  


All times are GMT -5.